Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 43s
- max time network: 45s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 04/11/2022, 05:48
Static task: static1
Behavioral task: behavioral1
Sample: SYSTEM.Critical.Upgrade.Win10.0.a1ae65ce5a20f0.msi
Resource: win7-20220812-en
General
- Target: SYSTEM.Critical.Upgrade.Win10.0.a1ae65ce5a20f0.msi
- Size: 2.7MB
- MD5: 9c8ed3456e1dabd6e56b66ffffd3c0b7
- SHA1: e7c57de1ebc26028defa533c4ec1fb764050cd09
- SHA256: 0c614dec198a74bb6b4c10efce8a4708f74aca9bd1eb20a5953212d221791cba
- SHA512: 3c14b9c3cea0614405d3f2e2eb99dd4cbd0d6e30492abbe7c84a37f820bd20661b3eb04eb7cd6e1d3318adb2286ef9fa25478cb90bc6e3f908073da5195ade3e
- SSDEEP: 3072:6aDyTjwAVzJwjUQzzVzfzjzZz1zvzzrzzvztzzNz9zNzzzzhRJg:6aD0jrJwnJ
Malware Config
Signatures
-
Loads dropped DLL (1 IoCs)
- pid 1212, Process MsiExec.exe
Enumerates connected drives (3 TTPs, 48 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
- File opened (read-only) by msiexec.exe, in the order observed: \??\A:, \??\H:, \??\S:, \??\Y:, \??\T:, \??\H:, \??\N:, \??\T:, \??\E:, \??\J:, \??\L:, \??\O:, \??\W:, \??\B:, \??\O:, \??\V:, \??\B:, \??\F:, \??\M:, \??\X:, \??\I:, \??\R:, \??\U:, \??\Y:, \??\P:, \??\R:, \??\I:, \??\J:, \??\U:, \??\V:, \??\W:, \??\A:, \??\F:, \??\Z:, \??\G:, \??\Z:, \??\M:, \??\X:, \??\E:, \??\G:, \??\K:, \??\L:, \??\K:, \??\N:, \??\Q:, \??\S:, \??\P:, \??\Q:
Drops file in Windows directory (5 IoCs)
- File opened for modification C:\Windows\Installer\6c73ba.msi (msiexec.exe)
- File opened for modification C:\Windows\INF\setupapi.ev3 (DrvInst.exe)
- File opened for modification C:\Windows\INF\setupapi.ev1 (DrvInst.exe)
- File opened for modification C:\Windows\INF\setupapi.dev.log (DrvInst.exe)
- File created C:\Windows\Installer\6c73ba.msi (msiexec.exe)
Modifies data under HKEY_USERS (43 IoCs, all by DrvInst.exe)
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs
- Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs
- Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust
- Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs
- Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates
- Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates
Suspicious behavior: EnumeratesProcesses (2 IoCs)
- pid 1496, Process msiexec.exe
- pid 1496, Process msiexec.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
- Token: SeShutdownPrivilege, pid 1048, msiexec.exe
- Token: SeIncreaseQuotaPrivilege, pid 1048, msiexec.exe
- Token: SeRestorePrivilege, pid 1496, msiexec.exe
- Token: SeTakeOwnershipPrivilege, pid 1496, msiexec.exe
- Token: SeSecurityPrivilege, pid 1496, msiexec.exe
- Token: SeCreateTokenPrivilege, pid 1048, msiexec.exe
- Token: SeAssignPrimaryTokenPrivilege, pid 1048, msiexec.exe
- Token: SeLockMemoryPrivilege, pid 1048, msiexec.exe
- Token: SeIncreaseQuotaPrivilege, pid 1048, msiexec.exe
- Token: SeMachineAccountPrivilege, pid 1048, msiexec.exe
- Token: SeTcbPrivilege, pid 1048, msiexec.exe
- Token: SeSecurityPrivilege, pid 1048, msiexec.exe
- Token: SeTakeOwnershipPrivilege, pid 1048, msiexec.exe
- Token: SeLoadDriverPrivilege, pid 1048, msiexec.exe
- Token: SeSystemProfilePrivilege, pid 1048, msiexec.exe
- Token: SeSystemtimePrivilege, pid 1048, msiexec.exe
- Token: SeProfSingleProcessPrivilege, pid 1048, msiexec.exe
- Token: SeIncBasePriorityPrivilege, pid 1048, msiexec.exe
- Token: SeCreatePagefilePrivilege, pid 1048, msiexec.exe
- Token: SeCreatePermanentPrivilege, pid 1048, msiexec.exe
- Token: SeBackupPrivilege, pid 1048, msiexec.exe
- Token: SeRestorePrivilege, pid 1048, msiexec.exe
- Token: SeShutdownPrivilege, pid 1048, msiexec.exe
- Token: SeDebugPrivilege, pid 1048, msiexec.exe
- Token: SeAuditPrivilege, pid 1048, msiexec.exe
- Token: SeSystemEnvironmentPrivilege, pid 1048, msiexec.exe
- Token: SeChangeNotifyPrivilege, pid 1048, msiexec.exe
- Token: SeRemoteShutdownPrivilege, pid 1048, msiexec.exe
- Token: SeUndockPrivilege, pid 1048, msiexec.exe
- Token: SeSyncAgentPrivilege, pid 1048, msiexec.exe
- Token: SeEnableDelegationPrivilege, pid 1048, msiexec.exe
- Token: SeManageVolumePrivilege, pid 1048, msiexec.exe
- Token: SeImpersonatePrivilege, pid 1048, msiexec.exe
- Token: SeCreateGlobalPrivilege, pid 1048, msiexec.exe
- Token: SeCreateTokenPrivilege, pid 1048, msiexec.exe
- Token: SeAssignPrimaryTokenPrivilege, pid 1048, msiexec.exe
- Token: SeLockMemoryPrivilege, pid 1048, msiexec.exe
- Token: SeIncreaseQuotaPrivilege, pid 1048, msiexec.exe
- Token: SeMachineAccountPrivilege, pid 1048, msiexec.exe
- Token: SeTcbPrivilege, pid 1048, msiexec.exe
- Token: SeSecurityPrivilege, pid 1048, msiexec.exe
- Token: SeTakeOwnershipPrivilege, pid 1048, msiexec.exe
- Token: SeLoadDriverPrivilege, pid 1048, msiexec.exe
- Token: SeSystemProfilePrivilege, pid 1048, msiexec.exe
- Token: SeSystemtimePrivilege, pid 1048, msiexec.exe
- Token: SeProfSingleProcessPrivilege, pid 1048, msiexec.exe
- Token: SeIncBasePriorityPrivilege, pid 1048, msiexec.exe
- Token: SeCreatePagefilePrivilege, pid 1048, msiexec.exe
- Token: SeCreatePermanentPrivilege, pid 1048, msiexec.exe
- Token: SeBackupPrivilege, pid 1048, msiexec.exe
- Token: SeRestorePrivilege, pid 1048, msiexec.exe
- Token: SeShutdownPrivilege, pid 1048, msiexec.exe
- Token: SeDebugPrivilege, pid 1048, msiexec.exe
- Token: SeAuditPrivilege, pid 1048, msiexec.exe
- Token: SeSystemEnvironmentPrivilege, pid 1048, msiexec.exe
- Token: SeChangeNotifyPrivilege, pid 1048, msiexec.exe
- Token: SeRemoteShutdownPrivilege, pid 1048, msiexec.exe
- Token: SeUndockPrivilege, pid 1048, msiexec.exe
- Token: SeSyncAgentPrivilege, pid 1048, msiexec.exe
- Token: SeEnableDelegationPrivilege, pid 1048, msiexec.exe
- Token: SeManageVolumePrivilege, pid 1048, msiexec.exe
- Token: SeImpersonatePrivilege, pid 1048, msiexec.exe
- Token: SeCreateGlobalPrivilege, pid 1048, msiexec.exe
- Token: SeCreateTokenPrivilege, pid 1048, msiexec.exe
Suspicious use of FindShellTrayWindow (2 IoCs)
- pid 1048, Process msiexec.exe
- pid 1048, Process msiexec.exe
Suspicious use of WriteProcessMemory (5 IoCs)
- PID 1496 wrote to memory of 1212; pid 1496, Process msiexec.exe, procid_target 28
- PID 1496 wrote to memory of 1212; pid 1496, Process msiexec.exe, procid_target 28
- PID 1496 wrote to memory of 1212; pid 1496, Process msiexec.exe, procid_target 28
- PID 1496 wrote to memory of 1212; pid 1496, Process msiexec.exe, procid_target 28
- PID 1496 wrote to memory of 1212; pid 1496, Process msiexec.exe, procid_target 28
Processes
- C:\Windows\system32\msiexec.exe (PID 1048)
  command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\SYSTEM.Critical.Upgrade.Win10.0.a1ae65ce5a20f0.msi
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
- C:\Windows\system32\msiexec.exe (PID 1496)
  command line: C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\MsiExec.exe (PID 1212, child of 1496)
    command line: C:\Windows\system32\MsiExec.exe -Embedding 8EA815F5C4C18534C0385CF59B1BAD99 C
    - Loads dropped DLL
- C:\Windows\system32\vssvc.exe (PID 1004)
  command line: C:\Windows\system32\vssvc.exe
- C:\Windows\system32\DrvInst.exe (PID 764)
  command line: DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "0000000000000324" "0000000000000060"
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 80KB
  MD5: 50c32d4bfd44d3de980ab46c5622c7d3
  SHA1: 1b77f96a348ff7618db4f83dde8dea7ada785f60
  SHA256: 6bf6ee6857585eae645e9fef30a4b1cff4419863d572ce1141f7515de65b3cca
  SHA512: 0804f043c346e8c93d1c3e560d084054fe983009471f2805caab0fb063b4f7d779a6ff49a793f7a4f719565959f39185589557befaa9b2e22a86a61ed4b33aed